haugene / vpn-configs-contrib

A collection of configs for various VPN providers
GNU General Public License v3.0
174 stars, 739 forks

Mullvad: Issues with port 53, updated servers #216

Closed C9Glax closed 1 year ago

C9Glax commented 1 year ago

Breaking change

No known breaking changes.

Proposed change

When using the current mullvad-configs after the last PR, my container would no longer connect to the internet.
It would establish a connection to the VPN-server, but afterwards timeout with
Inactivity timeout (--ping-exit), exiting
as reason.
I could confirm, when connecting to the container, that I was unable to ping any outside servers (tested bing.com, 8.8.8.8, www.google.com).

After reverting the PR and using the normal ports, I was then able to once again use the container normally.

While I was at it, I also updated all configs with the current ones from mullvad and deleted old ones that no longer exist.
I changed default.ovpn to include some of the new servers from the USA, Australia and the Netherlands.


pkishino commented 1 year ago

@Eiqnepm can you please take a look and comment, as you made the previous PR

eiqnepm commented 1 year ago

> @Eiqnepm can you please take a look and comment, as you made the previous PR

I don't believe the port alone is the issue. I presume it was a combination of the fact I had not updated the hosts in the default config and Mullvad have updated their ciphers for all their currently listed hosts.

My new PR resolves both these issues. https://github.com/haugene/vpn-configs-contrib/pull/217

C9Glax commented 1 year ago

> I don't believe the port alone is the issue. I presume it was a combination of the fact I had not updated the hosts in the default config and Mullvad have updated their ciphers for all their currently listed hosts.

I also tested new configs freshly downloaded from mullvad (with the selected port 53 option), same result. So has to be something else.

eiqnepm commented 1 year ago

>> I don't believe the port alone is the issue. I presume it was a combination of the fact I had not updated the hosts in the default config and Mullvad have updated their ciphers for all their currently listed hosts.

> I also tested new configs freshly downloaded from mullvad (with the selected port 53 option), same result. So has to be something else.

I updated all the ports to a single port for consistency. My only assumption is your network is blocking port 53 for all IPs other than your designated DNS IP. Do you have access to the admin page of your router, and if so what model router do you have?

C9Glax commented 1 year ago

I have my own DNS server, running on port 53... I can make DNS requests inside the container which are answered by 127.0.0.11, which is an address I have no idea where it is going. It's not my DNS server, which I can confirm by arp telling me a different address. Sadly I can't install traceroute because... No internet connection.

The Container can connect to the VPN-Server just fine (reporting connection established).

 Starting container with revision: 1103172c3288b7de681e2fb7f1378314f17f66cf
transmission  | TRANSMISSION_HOME is currently set to: /config/transmission-home
transmission  | WARNING: Deprecated. Found old default transmission-home folder at /data/transmission-home, setting this as TRANSMISSION_HOME. This might break in future versions.
transmission  | We will fallback to this directory as long as the folder exists. Please consider moving it to /config/transmission-home
transmission  | Creating TUN device /dev/net/tun
transmission  | Using OpenVPN provider: MULLVAD
transmission  | Running with VPN_CONFIG_SOURCE auto
transmission  | No bundled config script found for MULLVAD. Defaulting to external config
transmission  | Downloading configs from https://github.com/haugene/vpn-configs-contrib/archive/main.zip into /tmp/tmp.QOlDTgfOKE
transmission  | Extracting configs to /tmp/tmp.jxjQ9dlfp0
transmission  | Found configs for MULLVAD in /tmp/tmp.jxjQ9dlfp0/vpn-configs-contrib-main/openvpn/mullvad, will replace current content in /etc/openvpn/mullvad
transmission  | Cleanup: deleting /tmp/tmp.QOlDTgfOKE and /tmp/tmp.jxjQ9dlfp0
transmission  | Starting OpenVPN using config default.ovpn
transmission  | Modifying /etc/openvpn/mullvad/default.ovpn for best behaviour in this container
transmission  | Modification: Point auth-user-pass option to the username/password file
transmission  | Modification: Change ca certificate path
transmission  | Modification: Change ping options
transmission  | Modification: Update/set resolv-retry to 15 seconds
transmission  | Modification: Change tls-crypt keyfile path
transmission  | Modification: Set output verbosity to 3
transmission  | Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
transmission  | Modification: Updating status for config failure detection
transmission  | Setting OpenVPN credentials...
transmission  | adding route to local network 192.168.0.0/16 via 172.21.0.1 dev eth0
transmission  | 2023-05-19 16:48:45 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
transmission  | 2023-05-19 16:48:45 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
transmission  | 2023-05-19 16:48:45 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
transmission  | 2023-05-19 16:48:45 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
transmission  | 2023-05-19 16:48:45 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
transmission  | 2023-05-19 16:48:45 TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.74.98:53
transmission  | 2023-05-19 16:48:45 Socket Buffers: R=[212992->425984] S=[212992->425984]
transmission  | 2023-05-19 16:48:45 UDP link local: (not bound)
transmission  | 2023-05-19 16:48:45 UDP link remote: [AF_INET]146.70.74.98:53
transmission  | 2023-05-19 16:48:45 TLS: Initial packet from [AF_INET]146.70.74.98:53, sid=b781fe5e 400cffa6
transmission  | 2023-05-19 16:48:45 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
transmission  | 2023-05-19 16:48:45 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v5, emailAddress=security@mullvad.net
transmission  | 2023-05-19 16:48:45 VERIFY KU OK
transmission  | 2023-05-19 16:48:45 Validating certificate extended key usage
transmission  | 2023-05-19 16:48:45 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
transmission  | 2023-05-19 16:48:45 VERIFY EKU OK
transmission  | 2023-05-19 16:48:45 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=es-mad-ovpn-202.mullvad.net, emailAddress=security@mullvad.net
transmission  | 2023-05-19 16:48:45 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1534'
transmission  | 2023-05-19 16:48:45 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
transmission  | 2023-05-19 16:48:45 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA256
transmission  | 2023-05-19 16:48:45 [es-mad-ovpn-202.mullvad.net] Peer Connection Initiated with [AF_INET]146.70.74.98:53
transmission  | 2023-05-19 16:48:46 SENT CONTROL [es-mad-ovpn-202.mullvad.net]: 'PUSH_REQUEST' (status=1)
transmission  | 2023-05-19 16:48:46 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.7.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,route-gateway 10.7.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:53::1006/64 fdda:d0d0:cafe:53::,ifconfig 10.7.0.8 255.255.0.0,peer-id 6,cipher AES-256-GCM'
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: --socket-flags option modified
transmission  | 2023-05-19 16:48:46 NOTE: setsockopt TCP_NODELAY=1 failed
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: --ifconfig/up options modified
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: route options modified
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: route-related options modified
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: peer-id set
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: adjusting link_mtu to 1624
transmission  | 2023-05-19 16:48:46 OPTIONS IMPORT: data channel crypto options modified
transmission  | 2023-05-19 16:48:46 Data Channel: using negotiated cipher 'AES-256-GCM'
transmission  | 2023-05-19 16:48:46 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
transmission  | 2023-05-19 16:48:46 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
transmission  | 2023-05-19 16:48:46 net_route_v4_best_gw query: dst 0.0.0.0
transmission  | 2023-05-19 16:48:46 net_route_v4_best_gw result: via 172.21.0.1 dev eth0
transmission  | 2023-05-19 16:48:46 ROUTE_GATEWAY 172.21.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:15:00:02
transmission  | 2023-05-19 16:48:46 GDG6: remote_host_ipv6=n/a
transmission  | 2023-05-19 16:48:46 net_route_v6_best_gw query: dst ::
transmission  | 2023-05-19 16:48:46 sitnl_send: rtnl: generic error (-101): Network is unreachable
transmission  | 2023-05-19 16:48:46 ROUTE6: default_gateway=UNDEF
transmission  | 2023-05-19 16:48:46 TUN/TAP device tun0 opened
transmission  | 2023-05-19 16:48:46 net_iface_mtu_set: mtu 1500 for tun0
transmission  | 2023-05-19 16:48:46 net_iface_up: set tun0 up
transmission  | 2023-05-19 16:48:46 net_addr_v4_add: 10.7.0.8/16 dev tun0
transmission  | 2023-05-19 16:48:46 net_iface_mtu_set: mtu 1500 for tun0
transmission  | 2023-05-19 16:48:46 net_iface_up: set tun0 up
transmission  | 2023-05-19 16:48:46 net_addr_v6_add: fdda:d0d0:cafe:53::1006/64 dev tun0
transmission  | 2023-05-19 16:48:46 net_route_v4_add: 146.70.74.98/32 via 172.21.0.1 dev [NULL] table 0 metric -1
transmission  | 2023-05-19 16:48:46 net_route_v4_add: 0.0.0.0/1 via 10.7.0.1 dev [NULL] table 0 metric -1
transmission  | 2023-05-19 16:48:46 net_route_v4_add: 128.0.0.0/1 via 10.7.0.1 dev [NULL] table 0 metric -1
transmission  | 2023-05-19 16:48:46 add_route_ipv6(::/2 -> fdda:d0d0:cafe:53:: metric -1) dev tun0
transmission  | 2023-05-19 16:48:46 net_route_v6_add: ::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:48:46 add_route_ipv6(4000::/2 -> fdda:d0d0:cafe:53:: metric -1) dev tun0
transmission  | 2023-05-19 16:48:46 net_route_v6_add: 4000::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:48:46 add_route_ipv6(8000::/2 -> fdda:d0d0:cafe:53:: metric -1) dev tun0
transmission  | 2023-05-19 16:48:46 net_route_v6_add: 8000::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:48:46 add_route_ipv6(c000::/2 -> fdda:d0d0:cafe:53:: metric -1) dev tun0
transmission  | 2023-05-19 16:48:46 net_route_v6_add: c000::/2 via :: dev tun0 table 0 metric -1
transmission  | Up script executed with device=tun0 ifconfig_local=10.7.0.8
transmission  | Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.7.0.8
transmission  | Using Flood for Transmission UI, overriding TRANSMISSION_WEB_HOME
transmission  | Enforcing ownership on transmission directories
transmission  | Applying permissions to transmission directories
transmission  | Setting owner for transmission paths to 1000:1000
transmission  | Setting permissions for download and incomplete directories
transmission  | /etc/transmission/userSetup.sh: line 56: "002": syntax error: operand expected (error token is ""002"")
transmission  | /etc/transmission/userSetup.sh: line 57: "002": syntax error: operand expected (error token is ""002"")
transmission  | umask: 60
transmission  | Directories:
transmission  | Files:
transmission  | chmod: invalid mode: ''
transmission  | Try 'chmod --help' for more information.
transmission  | chmod: invalid mode: ''
transmission  | Try 'chmod --help' for more information.
transmission  | Setting permission for watch directory (775) and its files (664)
transmission  |
transmission  | -------------------------------------
transmission  | Transmission will run as
transmission  | -------------------------------------
transmission  | User name:   abc
transmission  | User uid:    1000
transmission  | User gid:    1000
transmission  | -------------------------------------
transmission  |
transmission  | Updating Transmission settings.json with values from env variables
transmission  | Attempting to use existing settings.json for Transmission
transmission  | Successfully used existing settings.json /data/transmission-home/settings.json
transmission  | Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.7.0.8
transmission  | Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
transmission  | Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
transmission  | Overriding rpc-password because TRANSMISSION_RPC_PASSWORD is set to [REDACTED]
transmission  | Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 8020
transmission  | Overriding rpc-username because TRANSMISSION_RPC_USERNAME is set to
transmission  | Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
transmission  | sed'ing True to true
transmission  | STARTING TRANSMISSION
transmission  | Transmission startup script complete.
transmission  | 2023-05-19 16:48:46 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
transmission  | 2023-05-19 16:48:46 Initialization Sequence Completed
transmission  | 2023-05-19 16:50:37 [es-mad-ovpn-202.mullvad.net] Inactivity timeout (--ping-exit), exiting
transmission  | 2023-05-19 16:50:37 /etc/openvpn/tunnelDown.sh tun0 1500 1552 10.7.0.8 255.255.0.0 init
transmission  | resolv.conf backup not found, could not restore
transmission  | Sending kill signal to transmission-daemon
transmission  | Successfuly closed transmission-daemon
transmission  | 2023-05-19 16:50:38 net_route_v4_del: 146.70.74.98/32 via 172.21.0.1 dev [NULL] table 0 metric -1
transmission  | 2023-05-19 16:50:38 net_route_v4_del: 0.0.0.0/1 via 10.7.0.1 dev [NULL] table 0 metric -1
transmission  | 2023-05-19 16:50:38 net_route_v4_del: 128.0.0.0/1 via 10.7.0.1 dev [NULL] table 0 metric -1
transmission  | 2023-05-19 16:50:38 delete_route_ipv6(::/2)
transmission  | 2023-05-19 16:50:38 net_route_v6_del: ::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:50:38 delete_route_ipv6(4000::/2)
transmission  | 2023-05-19 16:50:38 net_route_v6_del: 4000::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:50:38 delete_route_ipv6(8000::/2)
transmission  | 2023-05-19 16:50:38 net_route_v6_del: 8000::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:50:38 delete_route_ipv6(c000::/2)
transmission  | 2023-05-19 16:50:38 net_route_v6_del: c000::/2 via :: dev tun0 table 0 metric -1
transmission  | 2023-05-19 16:50:38 Closing TUN/TAP interface
transmission  | 2023-05-19 16:50:38 net_addr_v4_del: 10.7.0.8 dev tun0
transmission  | 2023-05-19 16:50:38 net_addr_v6_del: fdda:d0d0:cafe:53::1006/64 dev tun0
transmission  | 2023-05-19 16:50:38 SIGTERM[soft,ping-exit] received, process exiting
transmission exited with code 0

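
The log above shows the pattern that makes this kind of failure confusing: the TLS handshake, PUSH_REPLY, route installation and "Initialization Sequence Completed" all succeed, and only two minutes later does `--ping-exit` fire. That option exits when no packet of any kind has been received from the peer for the configured window, so the control channel worked and the return path then went quiet, which is a data-path problem, not a config or cipher problem. The following Python script is an added example, not code from haugene/transmission-openvpn or vpn-configs-contrib: it reads an OpenVPN 2.5 client log, records how far the tunnel got, and classifies the outcome, flagging a remote port of 53 as something to check on the LAN path before blaming the config. The sample lines are excerpted from the log posted in this thread with the `transmission  | ` prefix stripped; the stage names, verdict strings and the port-53 hint are this example's own assumptions.

```python
"""Added example: classify an OpenVPN client log by how far the tunnel got.

Not code from haugene/transmission-openvpn or vpn-configs-contrib.  It matches
the OpenVPN 2.5 log markers seen in the thread and distinguishes "never reached
the server", "handshake but setup incomplete", "healthy", and the case in this
thread: full setup, then --ping-exit because nothing came back from the peer.
SAMPLE_LOG is excerpted (and shortened) from the log posted in the issue.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Markers OpenVPN prints at each stage, matched against the raw log line.
STAGE_PATTERNS = [
    ("handshake",  re.compile(r"Peer Connection Initiated with \[AF_INET\]([\d.]+):(\d+)")),
    ("push_reply", re.compile(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'")),
    ("tun_up",     re.compile(r"TUN/TAP device (\S+) opened")),
    ("init_done",  re.compile(r"Initialization Sequence Completed")),
    ("ping_exit",  re.compile(r"Inactivity timeout \(--ping-exit\), exiting")),
]

# Remote ports that LAN gear commonly redirects or filters.  Assumption: only 53
# is listed because that is the port at issue in this thread.
INTERCEPT_PRONE_PORTS = {53}


@dataclass
class Diagnosis:
    stages: Dict[str, str] = field(default_factory=dict)    # stage -> first matching log line
    remote: Optional[Tuple[str, int]] = None                # (ip, port) the tunnel was built to
    pushed_dns: List[str] = field(default_factory=list)     # dhcp-option DNS values from PUSH_REPLY
    verdict: str = ""
    hints: List[str] = field(default_factory=list)


def diagnose(log_text: str) -> Diagnosis:
    """Walk the log once, record each stage reached, then classify the outcome."""
    d = Diagnosis()
    for line in log_text.splitlines():
        for name, rx in STAGE_PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            d.stages.setdefault(name, line)
            if name == "handshake":
                d.remote = (m.group(1), int(m.group(2)))
            elif name == "push_reply":
                d.pushed_dns = re.findall(r"dhcp-option DNS ([^,\s]+)", m.group(1))

    s = d.stages
    if "handshake" not in s:
        d.verdict = "no-handshake"          # no TLS exchange with the server at all
    elif "init_done" not in s:
        d.verdict = "handshake-only"        # TLS worked, but push/route/tun setup did not finish
    elif "ping_exit" in s:
        # --ping-exit fires when no packet has been *received* from the peer for the
        # configured window: the control channel worked, then the return path went quiet.
        d.verdict = "tunnel-up-no-traffic"
    else:
        d.verdict = "healthy"

    if d.remote and d.remote[1] in INTERCEPT_PRONE_PORTS and d.verdict != "healthy":
        d.hints.append(
            f"remote port {d.remote[1]}: check for LAN-side redirection or filtering "
            f"of that port (e.g. a DNS redirect rule) before blaming the config")
    return d


# Excerpted from the log posted in this thread (container prefix removed).
SAMPLE_LOG = """\
2023-05-19 16:48:45 UDP link remote: [AF_INET]146.70.74.98:53
2023-05-19 16:48:45 TLS: Initial packet from [AF_INET]146.70.74.98:53, sid=b781fe5e 400cffa6
2023-05-19 16:48:45 [es-mad-ovpn-202.mullvad.net] Peer Connection Initiated with [AF_INET]146.70.74.98:53
2023-05-19 16:48:46 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.7.0.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.7.0.1,topology subnet,ifconfig 10.7.0.8 255.255.0.0,peer-id 6,cipher AES-256-GCM'
2023-05-19 16:48:46 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-05-19 16:48:46 TUN/TAP device tun0 opened
2023-05-19 16:48:46 Initialization Sequence Completed
2023-05-19 16:50:37 [es-mad-ovpn-202.mullvad.net] Inactivity timeout (--ping-exit), exiting
"""

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result.verdict, result.remote, result.pushed_dns)
    for hint in result.hints:
        print("hint:", hint)
```

Run it against `docker logs transmission` output (prefix included; the patterns search within the line) to separate "the VPN config is wrong" from "the tunnel came up and the path then failed", which is the distinction this thread spent most of its comments establishing.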
C9Glax commented 1 year ago

Ah 127.0.0.11 is inside the container of course... bruh moment

eiqnepm commented 1 year ago
> transmission  | Downloading configs from https://github.com/haugene/vpn-configs-contrib/archive/main.zip into /tmp/tmp.QOlDTgfOKE

Can you try using the updated hosts and ciphers by setting the environment variable GITHUB_CONFIG_SOURCE_REPO to Eiqnepm/vpn-configs-contrib?

C9Glax commented 1 year ago

Of course.

```
transmission | Downloading configs from https://github.com/Eiqnepm/vpn-configs-contrib/archive/main.zip into /tmp/tmp.PrHBpGkAPO
```

Same result sadly. I guess my network-setup or some setting/firewall is blocking traffic over port 53...

eiqnepm commented 1 year ago

> I also tested new configs freshly downloaded from mullvad (with the selected port 53 option), same result. So has to be something else.

> I guess my network-setup or some setting/firewall is blocking traffic over port 53...

Considering you tried sourcing directly from Mullvad and ran into the same result, that would indicate that this is an issue with your network rather than the configs themselves.

Have you tried setting the environment variable PEER_DNS to false?

C9Glax commented 1 year ago

> Considering you tried sourcing directly from Mullvad and ran into the same result would indicate that this is an issue with your network rather than the configs themselves.

Oh 100%.

> Have you tried setting the environment variable PEER_DNS to false?

Was the entire time

eiqnepm commented 1 year ago

>> Have you tried setting the environment variable PEER_DNS to false?

> Was the entire time

I assume you've also tried setting it to true?

C9Glax commented 1 year ago

Not before this, but now I have tried, same result. Only that I no longer have a working DNS server inside the container.

eiqnepm commented 1 year ago

Can you give me the output of these commands on your host machine?

```
netcat -zv 1.1.1.1 53
netcat -uzv 1.1.1.1 53
```

C9Glax commented 1 year ago

```
netcat -zv 1.1.1.1 53
Connection to 1.1.1.1 53 port [tcp/domain] succeeded!
netcat -uzv 1.1.1.1 53
Connection to 1.1.1.1 53 port [udp/domain] succeeded!
```

Appreciate you

eiqnepm commented 1 year ago

What does your Docker Compose file look like?

C9Glax commented 1 year ago

```yaml
version: "3.3"
services:
  transmission:
    image: haugene/transmission-openvpn
    container_name: transmission
    logging:
      driver: json-file
      options:
        max-size: 10m
    environment:
      - PUID=1000
      - PGID=1000
      - PEER_DNS=false
      - LOCAL_NETWORK=192.168.0.0/16
      - TZ=Europe/Berlin
      - OPENVPN_PROVIDER=MULLVAD
      - OPENVPN_CONFIG=es_all
      - OPENVPN_USERNAME=<redacted>
      - OPENVPN_PASSWORD=m
      - TRANSMISSION_RPC_PORT=8020
      - TRANSMISSION_WEB_UI=flood-for-transmission
#      - GITHUB_CONFIG_SOURCE_REPO=C9Glax/vpn-configs-contrib
      - GITHUB_CONFIG_SOURCE_REPO=Eiqnepm/vpn-configs-contrib
    volumes:
      - /mnt/raid/Services/transmission:/data
      - <redacted>/config:/config
    ports:
      - 8020:8020
    cap_add:
      - NET_ADMIN
    sysctls:
      - "net.ipv6.conf.all.disable_ipv6=0"
    restart: unless-stopped
```

ipv6 is disabled, because provider is doing funny business.

eiqnepm commented 1 year ago

Try adding this to your transmission service

```yaml
dns:
  - 1.1.1.1
```

C9Glax commented 1 year ago

/etc/resolv.conf still showing 127.0.0.11 No change

eiqnepm commented 1 year ago

Is your DNS server running on the host machine in a Docker container? If it is could you show me the ports section of that Docker Compose file?

C9Glax commented 1 year ago

It's running in network_mode: host with unbound. So no ports specified. Standard 53 and something else for the UI.

eiqnepm commented 1 year ago

Have you tried setting your Unbound server to listen on the local address of your host machine (something starting with 192.168.0.), rather than 0.0.0.0?

C9Glax commented 1 year ago

Actually haven't. I appreciate your help, but gotta go get groceries. Since I have a working solution I will continue using it for now. I will reply with results of your last suggestion if you want to continue another time.